CVE-2023-32665

CWE-400 — Uncontrolled Resource Consumption CWE-502 — Deserialization of Untrusted Data CWE-122 — Heap-based Buffer Overflow11 documents8 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 82.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Glib

Timeline

PublishedSep 14

Latest updateOct 19

Description

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDgnome/glib< 2.74.4

▶Debianglib2.0< 2.66.8-1+deb11u1+3

🔴Vulnerability Details

OSV

CVE-2023-32665: A flaw was found in GLib↗2023-09-14

▶

CVEList

Gvariant deserialisation does not match spec for non-normal data↗2023-09-14

▶

GHSA

GHSA-c9xj-rf55-c64g: A flaw was found in GLib↗2023-09-14

▶

📋Vendor Advisories

Ubuntu

GLib vulnerabilities↗2023-10-19

▶

Microsoft

Gvariant deserialisation does not match spec for non-normal data↗2023-09-12

▶

Microsoft

A flaw was found in GLib. The GVariant deserialization code is vulnerable to a heap buffer overflow introduced by the fix for CVE-2023-32665. This bug does not affect any released version of GLib, but↗2023-09-12

▶

Ubuntu

GLib vulnerabilities↗2023-06-14

▶

Debian

CVE-2023-32665: glib2.0 - A flaw was found in GLib. GVariant deserialization is vulnerable to an exponenti...↗2023

▶